Hi Security Team and pkg-javascript-devel team,

May I have your opinion on this discussion about having a shared v8 package
maintained by nodejs LTS support?

Please CC all.

2015-10-01 10:25 GMT+02:00 Moritz Mühlenhoff <mmuhlenh...@wikimedia.org>:

> Hi,
>
>> yes I'm in favor of getting latest nodejs LTS into next debian release (be
>> it 4.1 or 4.2, but certainly not 5.0).
>
> 4.1.1 is the next LTS: https://github.com/nodejs/LTS/

I'm not reading anything on that page regarding version 4.1.1? The
documentation there is a bit outdated and doesn't reflect current choices -
they mention versions and dates as mere examples to explain their plans.

> The next LTS might not be released in time for stretch:
> https://wiki.debian.org/DebianStretch
> Do you plan to stick with one version for the nodejs packages or to make
> them co-installable?

One version.
If there is a new nodejs LTS several months before Stretch transition
then considering an update is reasonable. Future transitions are likely to
be less painful than the nodejs 0.10 -> 4 one:
- pure js modules are mostly forward-compatible
- c++ addons API compatibility is getting better with node-nan 2.x - most
  of the time updating node-nan and rebuilding addons will be fine.

>> I'm thinking of updating v8 debian package and linking against it in nodejs
>> 4 - as you know that wasn't a good idea for libv8-3.14 / nodejs 0.10 as it
>> required too much work.
>> It could be more successful and maintainable if we directly use the
>> nodejs v8 bundled copy, thus taking advantage of nodejs LTS security
>> patches and enlightened choices.
>
> Currently nodejs is the only rdep of libv8-3.14-dev (chromium uses the
> bundled version as well).
> Given that libv8 is an unmaintainable mess I'm personally in favour of
> abandoning the packaged libv8 in favour of nodejs using the bundled version
> (since currently nodejs is essentially security-unmaintained in jessie)

But nodejs isn't actually the only rdep, you should check libv8-dev rdeps
as well: weechat, uwsgi, mongodb, osmium, plv8.
The mess came from lack of v8 LTS and version ABI support.
Now that nodejs LTS is just doing that work, a shared v8 would benefit from

> But I can't/won't decide on this on my own, please contact
> t...@security.debian.org for a broader


>> PS: could we bring this discussion to pkg-javascript-devel for their
>> information?
>
> Sure, please CC me, I'm not CCed.

